@gouthampacha
Created October 19, 2022 05:10
manila$ tox -e bandit
/opt/stack/manila/.tox/bandit/lib/python3.8/site-packages/setuptools/command/easy_install.py:144: EasyInstallDeprecationWarning: easy_install command is deprecated. Use build and pip and other standards-based tools.
warnings.warn(
/opt/stack/manila/.tox/bandit/lib/python3.8/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
warnings.warn(
bandit develop-inst-noop: /opt/stack/manila
bandit installed: alabaster==0.7.12,alembic==1.8.1,amqp==5.1.1,appdirs==1.4.4,attrs==22.1.0,autopage==0.5.1,Babel==2.10.3,bandit==1.7.4,bashate==2.1.0,bcrypt==4.0.0,cachetools==5.2.0,certifi==2022.9.14,cffi==1.15.1,charset-normalizer==2.1.1,cliff==4.0.0,cmd2==2.4.2,coverage==6.4.4,cryptography==38.0.1,ddt==1.6.0,debtcollector==2.5.0,decorator==5.1.1,dnspython==2.2.1,docutils==0.19,dogpile.cache==1.1.8,dulwich==0.20.46,eventlet==0.33.1,extras==1.0.0,fasteners==0.18,fixtures==4.0.1,flake8==3.8.4,future==0.18.2,futurist==2.4.1,gitdb==4.0.9,GitPython==3.1.27,greenlet==1.1.3,hacking==3.1.0,idna==3.4,imagesize==1.4.1,importlib-metadata==4.12.0,importlib-resources==5.9.0,iso8601==1.0.2,Jinja2==3.1.2,jmespath==1.0.1,jsonpatch==1.32,jsonpointer==2.3,jsonschema==4.16.0,keystoneauth1==5.0.0,keystonemiddleware==10.1.0,kombu==5.2.4,lxml==4.9.1,Mako==1.2.2,-e git+https://opendev.org/openstack/manila@b8fdf9b9e758fa0945504d1da651445dab8350d7#egg=manila,MarkupSafe==2.1.1,mccabe==0.6.1,msgpack==1.0.4,munch==2.5.0,netaddr==0.8.0,netifaces==0.11.0,openstackdocstheme==3.0.0,openstacksdk==0.101.0,os-api-ref==2.3.0,os-client-config==2.1.0,os-service-types==1.7.0,osc-lib==2.6.2,oslo.cache==3.1.0,oslo.concurrency==5.0.1,oslo.config==9.0.0,oslo.context==5.0.0,oslo.db==12.1.0,oslo.i18n==5.1.0,oslo.log==5.0.0,oslo.messaging==14.0.0,oslo.metrics==0.5.0,oslo.middleware==5.0.0,oslo.policy==4.0.0,oslo.privsep==3.0.1,oslo.reports==2.4.0,oslo.rootwrap==6.3.1,oslo.serialization==5.0.0,oslo.service==3.0.0,oslo.upgradecheck==2.0.0,oslo.utils==6.0.1,oslotest==4.5.0,osprofiler==3.4.3,packaging==21.3,paramiko==2.11.0,Paste==3.5.2,PasteDeploy==2.1.1,pbr==5.10.0,pkgutil_resolve_name==1.3.10,prettytable==3.4.1,prometheus-client==0.14.1,psutil==5.9.2,psycopg2-binary==2.9.3,pycadf==3.1.1,pycodestyle==2.6.0,pycparser==2.21,pyflakes==2.2.0,Pygments==2.13.0,pyinotify==0.9.6,PyMySQL==1.0.2,PyNaCl==1.5.0,pyOpenSSL==22.0.0,pyparsing==3.0.9,pyperclip==1.8.2,pyrsistent==0.18.1,python-cinderclient==9.1.0,python-dateutil==2.8.2,python-glanceclient==4.1.0,python-keystoneclient==5.0.1,python-neutronclient==8.1.0,python-novaclient==18.1.0,python-subunit==1.4.0,pytz==2022.2.1,PyYAML==6.0,repoze.lru==0.7,requests==2.28.1,requests-mock==1.10.0,requestsexceptions==1.4.0,rfc3986==2.0.0,Routes==2.5.1,simplejson==3.17.6,six==1.16.0,smmap==5.0.0,snowballstemmer==2.2.0,Sphinx==5.1.1,sphinxcontrib-applehelp==1.0.2,sphinxcontrib-devhelp==1.0.2,sphinxcontrib-htmlhelp==2.0.0,sphinxcontrib-jsmath==1.0.1,sphinxcontrib-qthelp==1.0.3,sphinxcontrib-serializinghtml==1.1.5,SQLAlchemy==1.4.41,sqlalchemy-migrate==0.13.0,sqlparse==0.4.2,statsd==3.3.0,stestr==4.0.0,stevedore==4.0.0,Tempita==0.5.2,tenacity==8.0.1,testresources==2.0.1,testscenarios==0.5.0,testtools==2.5.0,tooz==3.1.0,urllib3==1.26.12,vine==5.0.0,voluptuous==0.13.1,warlock==2.0.1,wcwidth==0.2.5,WebOb==1.8.7,wrapt==1.14.1,yappi==1.3.6,zipp==3.8.1
bandit run-test-pre: PYTHONHASHSEED='1755623407'
bandit run-test: commands[0] | bandit -r manila -x tests -n5
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.8.10
449 [0.. 50.. 100.. 150.. 200.. 250.. 300.. 350.. 400.. ]
Run started:2022-10-19 05:04:37.406472
Test results:
>> Issue: [B102:exec_used] Use of exec detected.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/cmd/manage.py:168:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b102_exec_used.html
166 arguments: path
167 """
168 exec(compile(open(path).read(), path, 'exec'), locals(), globals())
169
170
--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
Location: manila/data/manager.py:39:16
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b108_hardcoded_tmp_directory.html
37 cfg.StrOpt(
38 'mount_tmp_location',
39 default='/tmp/',
40 help="Temporary path to create and mount shares during migration."),
41 cfg.BoolOpt(
--------------------------------------------------
>> Issue: [B112:try_except_continue] Try, Except, Continue detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/network/linux/ip_lib.py:349:12
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b112_try_except_continue.html
347 try:
348 subnet = device_route_line.split()[0]
349 except Exception:
350 continue
351 subnet_route_list_lines = self._run(
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:74:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
72 def cleanup():
73 global TRANSPORT, NOTIFICATION_TRANSPORT, NOTIFIER
74 assert TRANSPORT is not None
75 assert NOTIFICATION_TRANSPORT is not None
76 assert NOTIFIER is not None
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:75:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
73 global TRANSPORT, NOTIFICATION_TRANSPORT, NOTIFIER
74 assert TRANSPORT is not None
75 assert NOTIFICATION_TRANSPORT is not None
76 assert NOTIFIER is not None
77 TRANSPORT.cleanup()
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:76:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
74 assert TRANSPORT is not None
75 assert NOTIFICATION_TRANSPORT is not None
76 assert NOTIFIER is not None
77 TRANSPORT.cleanup()
78 NOTIFICATION_TRANSPORT.cleanup()
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:146:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
144
145 def get_client(target, version_cap=None, serializer=None):
146 assert TRANSPORT is not None
147 serializer = RequestContextSerializer(serializer)
148 return messaging.RPCClient(TRANSPORT,
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:155:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
153
154 def get_server(target, endpoints, serializer=None):
155 assert TRANSPORT is not None
156 access_policy = dispatcher.DefaultRPCAccessPolicy
157 serializer = RequestContextSerializer(serializer)
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:168:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
166 @utils.if_notifications_enabled
167 def get_notifier(service=None, host=None, publisher_id=None):
168 assert NOTIFIER is not None
169 if not publisher_id:
170 publisher_id = "%s.%s" % (service, host or CONF.host)
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: manila/scheduler/drivers/chance.py:58:25
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
56 raise exception.NoValidHost(reason=msg)
57
58 return hosts[int(random.random() * len(hosts))]
59
60 def schedule_create_share(self, context, request_spec, filter_properties):
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: manila/service.py:167:32
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
165 if self.periodic_interval:
166 if self.periodic_fuzzy_delay:
167 initial_delay = random.randint(0, self.periodic_fuzzy_delay)
168 else:
169 initial_delay = None
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/service.py:242:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
240 try:
241 self.rpcserver.stop()
242 except Exception:
243 pass
244
--------------------------------------------------
>> Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
Severity: Medium Confidence: Medium
CWE: CWE-605 (https://cwe.mitre.org/data/definitions/605.html)
Location: manila/service.py:322:54
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b104_hardcoded_bind_all_interfaces.html
320 rpc.init(CONF)
321 self.app = self.loader.load_app(name)
322 self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0")
323 self.port = getattr(CONF, '%s_listen_port' % name, 0)
324 self.workers = getattr(CONF, '%s_workers' % name, None)
--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
Location: manila/share/drivers/container/driver.py:80:23
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b108_hardcoded_tmp_directory.html
78 "is used to provide storage for a share."),
79 cfg.StrOpt("container_volume_mount_path",
80 default="/tmp/shares",
81 help="Folder name in host to which logical volume will be "
82 "mounted prior to providing access to it from a "
--------------------------------------------------
>> Issue: [B410:blacklist] Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/dell_emc/common/enas/xml_api_parser.py:19:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
17 import re
18
19 from lxml import etree
20
21
22 class XMLAPIParser(object):
23 def __init__(self):
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/share/drivers/dell_emc/common/enas/xml_api_parser.py:67:20
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b307-eval
65 if func in vars(XMLAPIParser):
66 if action == 'start':
67 eval('self.' + func)(elem, result)
68 elif action == 'end':
69 eval('self.' + func)()
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/share/drivers/dell_emc/common/enas/xml_api_parser.py:69:20
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b307-eval
67 eval('self.' + func)(elem, result)
68 elif action == 'end':
69 eval('self.' + func)()
70
71 return result
--------------------------------------------------
>> Issue: [B410:blacklist] Using builder to parse untrusted XML data is known to be vulnerable to XML attacks. Replace builder with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/dell_emc/plugins/powermax/object_manager.py:19:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
17 import re
18
19 from lxml import builder
20 from lxml import etree as ET
21 from oslo_concurrency import processutils
--------------------------------------------------
>> Issue: [B410:blacklist] Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/dell_emc/plugins/powermax/object_manager.py:20:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
18
19 from lxml import builder
20 from lxml import etree as ET
21 from oslo_concurrency import processutils
22 from oslo_log import log
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/share/drivers/dell_emc/plugins/powermax/object_manager.py:52:32
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b307-eval
50 for item in obj_types:
51 key = item.__name__
52 self.context[key] = eval(key)(self.connectors,
53 elt_maker,
54 xml_parser,
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: manila/share/drivers/dell_emc/plugins/unity/connection.py:741:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
739 def _choose_port(sp_ports_map, sp):
740 ports = sp_ports_map[sp.get_id()]
741 return random.choice(list(ports))
742
743 @staticmethod
--------------------------------------------------
>> Issue: [B410:blacklist] Using builder to parse untrusted XML data is known to be vulnerable to XML attacks. Replace builder with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/dell_emc/plugins/vnx/object_manager.py:19:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
17 import re
18
19 from lxml import builder
20 from lxml import etree as ET
21 from oslo_concurrency import processutils
--------------------------------------------------
>> Issue: [B410:blacklist] Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/dell_emc/plugins/vnx/object_manager.py:20:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
18
19 from lxml import builder
20 from lxml import etree as ET
21 from oslo_concurrency import processutils
22 from oslo_log import log
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/share/drivers/dell_emc/plugins/vnx/object_manager.py:52:32
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b307-eval
50 for item in obj_types:
51 key = item.__name__
52 self.context[key] = eval(key)(self.connectors,
53 elt_maker,
54 xml_parser,
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Medium
CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
Location: manila/share/drivers/ganesha/manager.py:622:27
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html
620 out = self.execute(
621 "sqlite3", self.ganesha_db_path,
622 bumpcode + 'select * from ganesha where key = "exportid";',
623 run_as_root=False)[0]
624 match = re.search(r'\Aexportid\|(\d+)$', out)
--------------------------------------------------
>> Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
Severity: Medium Confidence: Medium
CWE: CWE-605 (https://cwe.mitre.org/data/definitions/605.html)
Location: manila/share/drivers/ganesha/utils.py:150:35
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b104_hardcoded_bind_all_interfaces.html
148 """
149 if access_rule['access_to'] == '0.0.0.0/0':
150 access_rule['access_to'] = '0.0.0.0'
151 LOG.debug("Set access_to field to '0.0.0.0' in ganesha back end.")
152
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/common.py:20:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
18
19 import re
20 import xml.etree.cElementTree as etree
21
22 from oslo_config import cfg
23 from oslo_log import log
--------------------------------------------------
>> Issue: [B313:blacklist] Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/common.py:258:17
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-celementtree
256 )
257
258 volxml = etree.fromstring(out)
259 self.xml_response_check(volxml, args[1:], './volInfo/volumes/count')
260 for e in volxml.findall(".//option"):
--------------------------------------------------
>> Issue: [B313:blacklist] Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/common.py:285:21
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-celementtree
283
284 try:
285 optxml = etree.fromstring(out)
286 except Exception:
287 # non-xml output indicates that GlusterFS backend does not support
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/layout_directory.py:23:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
21 from oslo_config import cfg
22 from oslo_log import log
23 import xml.etree.cElementTree as etree
24
25 from manila import exception
26 from manila.i18n import _
--------------------------------------------------
>> Issue: [B313:blacklist] Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/layout_directory.py:242:17
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-celementtree
240 raise
241
242 volxml = etree.fromstring(out)
243 usage_byte = volxml.find('./volQuota/limit/used_space').text
244 usage = utils.translate_string_size_to_float(usage_byte)
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/layout_volume.py:24:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
22 import string
23 import tempfile
24 import xml.etree.cElementTree as etree
25
26 from oslo_config import cfg
27 from oslo_log import log
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: manila/share/drivers/glusterfs/layout_volume.py:319:22
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
317 # even distribution of share backing volumes among
318 # Gluster clusters.
319 chosen_host = random.choice(list(chosen_hostmap.keys()))
320 # Within a host's volumes, choose alphabetically first,
321 # to make it predictable.
--------------------------------------------------
>> Issue: [B313:blacklist] Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/layout_volume.py:564:21
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-celementtree
562 )
563
564 outxml = etree.fromstring(out)
565 opret = int(common.volxml_get(outxml, 'opRet'))
566 operrno = int(common.volxml_get(outxml, 'opErrno'))
--------------------------------------------------
>> Issue: [B313:blacklist] Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/layout_volume.py:606:17
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-celementtree
604 )
605
606 outxml = etree.fromstring(out)
607 gluster_mgr.xml_response_check(outxml, args[1:])
608
--------------------------------------------------
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
Severity: High Confidence: High
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
Location: manila/share/drivers/hitachi/hsp/rest.py:36:15
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html
34 def _send_post(self, url, payload=None):
35 resp = requests.post(url, auth=(self.username, self.password),
36 data=payload, verify=False)
37
38 if resp.status_code == 202:
39 self._wait_job_status(resp.headers['location'], 'COMPLETE')
--------------------------------------------------
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
Severity: High Confidence: High
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
Location: manila/share/drivers/hitachi/hsp/rest.py:47:15
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html
45 def _send_get(self, url, payload=None):
46 resp = requests.get(url, auth=(self.username, self.password),
47 data=payload, verify=False)
48
49 if resp.status_code == 200:
50 if resp.content == 'null':
--------------------------------------------------
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
Severity: High Confidence: High
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
Location: manila/share/drivers/hitachi/hsp/rest.py:61:15
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html
59 def _send_delete(self, url, payload=None):
60 resp = requests.delete(url, auth=(self.username, self.password),
61 data=payload, verify=False)
62
63 if resp.status_code == 202:
64 self._wait_job_status(resp.headers['location'], 'COMPLETE')
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/drivers/hpe/hpe_3par_driver.py:360:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
358 file_size = os.path.getsize(source_file)
359
360 sha1 = hashlib.sha1()
361 sha1.update(("blob %u\0" % file_size).encode('utf-8'))
362
--------------------------------------------------
>> Issue: [B405:blacklist] Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/huawei/huawei_nas.py:17:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
15
16 """Huawei Nas Driver for Huawei storage arrays."""
17 from xml.etree import ElementTree as ET
18
19 from oslo_config import cfg
20 from oslo_log import log
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/huawei/huawei_nas.py:88:19
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
86
87 try:
88 tree = ET.parse(filename)
89 root = tree.getroot()
90 except Exception as err:
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: manila/share/drivers/huawei/v3/connection.py:1392:29
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
1390 # Set AD config.
1391 digits = string.digits
1392 random_id = ''.join([random.choice(digits) for i in range(9)])
1393 system_name = constants.SYSTEM_NAME_PREFIX + random_id
1394
--------------------------------------------------
>> Issue: [B405:blacklist] Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/huawei/v3/helper.py:20:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
18 import requests
19 import time
20 from xml.etree import ElementTree as ET
21
22 from oslo_log import log
23 from oslo_serialization import jsonutils
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/huawei/v3/helper.py:188:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
186 logininfo = {}
187 filename = self.configuration.manila_huawei_conf_file
188 tree = ET.parse(filename)
189 root = tree.getroot()
190 RestURL = root.findtext('Storage/RestURL')
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/huawei/v3/helper.py:373:19
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
371 filename = self.configuration.manila_huawei_conf_file
372 try:
373 tree = ET.parse(filename)
374 root = tree.getroot()
375 except Exception as err:
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'manilanobody'
Severity: Low Confidence: Medium
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
Location: manila/share/drivers/macrosan/macrosan_helper.py:99:26
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b105_hardcoded_password_string.html
97 else:
98 user_name = 'manilanobody'
99 user_passwd = 'manilanobody'
100 group_name = 'manilanobody'
101 ret = self._ensure_user(user_name, user_passwd, group_name)
--------------------------------------------------
>> Issue: [B410:blacklist] Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/netapp/dataontap/client/api.py:24:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
22 import re
23
24 from lxml import etree
25 from oslo_log import log
26 from oslo_serialization import jsonutils
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'basic_auth'
Severity: Low Confidence: Medium
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
Location: manila/share/drivers/netapp/dataontap/client/api.py:71:23
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b105_hardcoded_password_string.html
69 EVSERVER_MIGRATION_TO_NON_AFF_CLUSTER = '13172984'
70
71 STYLE_LOGIN_PASSWORD = 'basic_auth'
72 TRANSPORT_TYPE_HTTP = 'http'
73 TRANSPORT_TYPE_HTTPS = 'https'
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/drivers/netapp/dataontap/client/client_cmode.py:1561:22
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
1559 self.configure_dns(security_service)
1560
1561 config_name = hashlib.md5(
1562 security_service['id'].encode("latin-1")).hexdigest()
1563 api_args = {
1564 'ldap-client-config': config_name,
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/drivers/netapp/dataontap/client/client_cmode.py:1622:12
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
1620 def _delete_ldap_client(self, security_service):
1621 config_name = (
1622 hashlib.md5(security_service['id'].encode("latin-1")).hexdigest())
1623 api_args = {'ldap-client-config': config_name}
1624 self.send_request('ldap-client-delete', api_args)
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/drivers/netapp/dataontap/client/client_cmode.py:1629:22
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
1627 def configure_ldap(self, security_service, timeout=30):
1628 """Configures LDAP on Vserver."""
1629 config_name = hashlib.md5(
1630 security_service['id'].encode("latin-1")).hexdigest()
1631 self._create_ldap_client(security_service)
1632 self._enable_ldap_client(config_name, timeout=timeout)
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/drivers/netapp/dataontap/client/client_cmode.py:1657:12
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
1655
1656 new_config_name = (
1657 hashlib.md5(
1658 new_security_service['id'].encode("latin-1")).hexdigest())
1659 # Create ldap config with the new client
1660 api_args = {'client-config': new_config_name, 'client-enabled': 'true'}
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/drivers/netapp/dataontap/client/client_cmode.py:1669:20
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
1667 if e.code != netapp_api.EOBJECTNOTFOUND:
1668 current_config_name = (
1669 hashlib.md5(
1670 current_security_service['id'].encode(
1671 "latin-1")).hexdigest())
1672 msg = _("An error occurred while deleting original LDAP "
1673 "client configuration %(current_config)s. "
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/share/drivers/netapp/utils.py:221:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
219 try:
220 self._version = version.version_info.version_string()
221 except Exception:
222 pass
223
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/share/drivers/netapp/utils.py:227:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
225 try:
226 self._release = version.version_info.release_string()
227 except Exception:
228 pass
229
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/share/drivers/netapp/utils.py:233:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
231 try:
232 self._platform = platform.platform()
233 except Exception:
234 pass
235
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/share/drivers/netapp/utils.py:249:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
247 if ver:
248 self._version = ver
249 except Exception:
250 pass
251 try:
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/share/drivers/netapp/utils.py:255:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
253 if rel:
254 self._release = rel
255 except Exception:
256 pass
257
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/drivers/nexenta/ns5/jsonrpc.py:554:20
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
552 if isinstance(path, str):
553 path = path.encode('utf-8')
554 self.lock = hashlib.md5(path).hexdigest()
555
556 def url(self, path):
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:26:4
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
24
25 try:
26 import xml.etree.cElementTree as ET
27 except ImportError:
28 import xml.etree.ElementTree as ET
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:28:4
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
26 import xml.etree.cElementTree as ET
27 except ImportError:
28 import xml.etree.ElementTree as ET
29
30 from oslo_log import log as logging
--------------------------------------------------
>> Issue: [B323:blacklist] By default, Python will create a secure, verified ssl context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks.
Severity: Medium Confidence: High
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
Location: manila/share/drivers/qnap/api.py:86:26
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b323-unverified-context
84 if isSSL:
85 if hasattr(ssl, '_create_unverified_context'):
86 context = ssl._create_unverified_context()
87 connection = http_client.HTTPSConnection(ip,
88 port=port,
--------------------------------------------------
>> Issue: [B309:blacklist] Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033
Severity: Medium Confidence: High
CWE: CWE-319 (https://cwe.mitre.org/data/definitions/319.html)
Location: manila/share/drivers/qnap/api.py:87:29
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b309-httpsconnection
85 if hasattr(ssl, '_create_unverified_context'):
86 context = ssl._create_unverified_context()
87 connection = http_client.HTTPSConnection(ip,
88 port=port,
89 context=context)
90 else:
91 connection = http_client.HTTPSConnection(ip,
--------------------------------------------------
>> Issue: [B309:blacklist] Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033
Severity: Medium Confidence: High
CWE: CWE-319 (https://cwe.mitre.org/data/definitions/319.html)
Location: manila/share/drivers/qnap/api.py:91:29
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b309-httpsconnection
89 context=context)
90 else:
91 connection = http_client.HTTPSConnection(ip,
92 port=port)
93 else:
94 connection = http_client.HTTPConnection(ip, port)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:111:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
109 LOG.debug('response data: %s', data)
110
111 root = ET.fromstring(data)
112
113 display_model_name = root.find('model/displayModelName').text
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:161:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
159
160 res_details = self._execute_and_get_response_details(self.ip, url)
161 root = ET.fromstring(res_details['data'])
162
163 if root.find('authPassed').text == '0':
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:228:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
226
227 res_details = self._execute_and_get_response_details(self.ip, url)
228 root = ET.fromstring(res_details['data'])
229
230 if root.find('authPassed').text == '0':
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:265:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
263
264 res_details = self._execute_and_get_response_details(self.ip, url)
265 root = ET.fromstring(res_details['data'])
266
267 if root.find('authPassed').text == '0':
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:290:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
288 res_details = self._execute_and_get_response_details(self.ip, url)
289
290 root = ET.fromstring(res_details['data'])
291 if root.find('authPassed').text == '0':
292 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:324:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
322
323 res_details = self._execute_and_get_response_details(self.ip, url)
324 root = ET.fromstring(res_details['data'])
325 if root.find('authPassed').text == '0':
326 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:361:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
359
360 res_details = self._execute_and_get_response_details(self.ip, url)
361 root = ET.fromstring(res_details['data'])
362 if root.find('authPassed').text == '0':
363 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:389:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
387
388 res_details = self._execute_and_get_response_details(self.ip, url)
389 root = ET.fromstring(res_details['data'])
390 if root.find('authPassed').text == '0':
391 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:431:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
429
430 res_details = self._execute_and_get_response_details(self.ip, url)
431 root = ET.fromstring(res_details['data'])
432
433 if root.find('authPassed').text == '0':
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:453:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
451
452 res_details = self._execute_and_get_response_details(self.ip, url)
453 root = ET.fromstring(res_details['data'])
454 if root.find('authPassed').text == '0':
455 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:485:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
483
484 res_details = self._execute_and_get_response_details(self.ip, url)
485 root = ET.fromstring(res_details['data'])
486 if root.find('authPassed').text == '0':
487 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:525:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
523
524 res_details = self._execute_and_get_response_details(self.ip, url)
525 root = ET.fromstring(res_details['data'])
526
527 if root.find('authPassed').text == '0':
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:548:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
546
547 res_details = self._execute_and_get_response_details(self.ip, url)
548 root = ET.fromstring(res_details['data'])
549 if root.find('authPassed').text == '0':
550 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:584:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
582
583 res_details = self._execute_and_get_response_details(self.ip, url)
584 root = ET.fromstring(res_details['data'])
585 if root.find('authPassed').text == '0':
586 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:608:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
606
607 res_details = self._execute_and_get_response_details(self.ip, url)
608 root = ET.fromstring(res_details['data'])
609 if root.find('authPassed').text == '0':
610 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:630:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
628
629 res_details = self._execute_and_get_response_details(self.ip, url)
630 root = ET.fromstring(res_details['data'])
631 if root.find('authPassed').text == '0':
632 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:653:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
651
652 res_details = self._execute_and_get_response_details(self.ip, url)
653 root = ET.fromstring(res_details['data'])
654 if root.find('authPassed').text == '0':
655 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/qnap/api.py:684:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
682
683 res_details = self._execute_and_get_response_details(self.ip, url)
684 root = ET.fromstring(res_details['data'])
685 if root.find('authPassed').text == '0':
686 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED)
--------------------------------------------------
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
Severity: High Confidence: High
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
Location: manila/share/drivers/tegile/tegile.py:133:18
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html
131 data=params,
132 auth=(self._username, self._password),
133 verify=False)
134 else:
135 req = requests.get(url,
136 auth=(self._username, self._password),
137 verify=False)
138
--------------------------------------------------
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
Severity: High Confidence: High
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
Location: manila/share/drivers/tegile/tegile.py:137:18
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html
135 req = requests.get(url,
136 auth=(self._username, self._password),
137 verify=False)
138
139 if fine_logging:
140 LOG.debug('TegileAPIExecutor(%(classname)s) method: %(method)s, '
141 'return code: %(retcode)s',
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/drivers/veritas/veritas_isa.py:144:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
142 name1 = name[:index]
143 name2 = name[index:]
144 crc1 = hashlib.md5(name1.encode('utf-8')).hexdigest()[:8]
145 crc2 = hashlib.md5(name2.encode('utf-8')).hexdigest()[:8]
146 return crc1 + '-' + crc2
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/drivers/veritas/veritas_isa.py:145:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
143 name2 = name[index:]
144 crc1 = hashlib.md5(name1.encode('utf-8')).hexdigest()[:8]
145 crc2 = hashlib.md5(name2.encode('utf-8')).hexdigest()[:8]
146 return crc1 + '-' + crc2
147
--------------------------------------------------
>> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
Severity: Medium Confidence: High
CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html)
Location: manila/share/drivers/zfssa/restclient.py:285:27
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b310-urllib-urlopen
283 while retry < maxreqretries:
284 try:
285 response = urlrequest.urlopen(req, timeout=self.timeout)
286 except urlerror.HTTPError as err:
287 if err.code == http_client.NOT_FOUND:
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/manager.py:404:36
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
402
403 if new_backend_info:
404 new_backend_info_hash = hashlib.sha1(str(
405 sorted(new_backend_info.items())).encode('utf-8')).hexdigest()
406 if (old_backend_info_hash == new_backend_info_hash and
407 backend_info_implemented):
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/test.py:199:12
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
197 try:
198 x.kill()
199 except Exception:
200 pass
201
--------------------------------------------------
>> Issue: [B601:paramiko_calls] Possible shell injection via Paramiko call, check inputs are properly sanitized.
Severity: Medium Confidence: Medium
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/utils.py:710:20
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b601_paramiko_calls.html
708 cmd = 'cat > "%s"' % tmp_filename
709 cmd2 = 'mv -f "%s" "%s"' % (tmp_filename, filename)
710 stdin, __, __ = ssh.exec_command(cmd)
711 stdin.write(contents)
712 stdin.close()
--------------------------------------------------
>> Issue: [B601:paramiko_calls] Possible shell injection via Paramiko call, check inputs are properly sanitized.
Severity: Medium Confidence: Medium
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/utils.py:714:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b601_paramiko_calls.html
712 stdin.close()
713 stdin.channel.shutdown_write()
714 ssh.exec_command(cmd2)
--------------------------------------------------
Code scanned:
Total lines of code: 101135
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 34
Medium: 52
High: 5
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 9
High: 82